The basic concept

For those of you who know Linux: in addition to firewalld, there is also the iptables system, which can restrict access to server ports.

iptables is not really a firewall itself, but rather a client front end that lets users pass their security settings into a “security framework” that is the real firewall. That framework is called netfilter; iptables is a command-line tool that lives in user space, and we use it to operate the real framework, netfilter, which is the packet-filtering firewall of Linux. netfilter implements packet filtering, packet redirection and network address translation. It is a packet processing module in the kernel of the Linux operating system and provides the following functions:

  • Network address translation (NAT)
  • Packet content modification
  • Packet filtering (the firewall function)

So although we use service iptables start to start the iptables “service”, iptables has no daemon; it is not really a service but a kernel function.

When the outside world requests a service on the server, the packet enters through the network card first, then passes through kernel space and the INPUT rule chain, and finally reaches the program listening at the corresponding address in user space. When the user-space program has handled the request and replies, the reply first enters kernel space from user space, passes through the OUTPUT rule chain, and finally leaves through the network card. If you configure rules on the iptables rule chains, requests are matched against them as they pass through the chain: a request that matches a rule is handled as that rule says, and one that matches no rule is handled by the chain's default policy.

Specifically, a request enters the server, and its reply leaves the server, through chains of rules like this. If our server is not the target of the request but a forwarding server, the packet also goes through the iptables rule chains, but different ones. So far we have seen all of the preset iptables rule chains: PREROUTING, INPUT, OUTPUT and FORWARD.

Rules of the chain

Run iptables -L -n to list the rules. Rule chains are matched from top to bottom: when a request starts matching the INPUT chain, it is checked against each rule in the order shown here, from top to bottom, until one rule matches, or none matches and the default policy is executed.

For example, if I now have a request from 127.0.0.1 to port 6379, matching from top to bottom, the first rule matches. For the first rule we wrote ACCEPT, which means let it through, so the request leaves the INPUT rule chain and is accepted regardless of any subsequent rules.

Or let’s say I have a request from 192.168.22.10 to port 6379. The first rule does not match, so rule number two is checked; rule number two matches access to port 6379 from any IP address and says REJECT, so the request matches rule two, leaves the INPUT rule chain, and the packet is rejected, with a rejection message sent back to the source if necessary. Although rule two matches all IP addresses accessing port 6379, when 127.0.0.1 accesses 6379 the request matches the first rule and is allowed, so rule two never applies to it. The setup shown in the screenshot therefore allows only 127.0.0.1 to access port 6379 and blocks access from other IP addresses.

Finally, suppose I have a request to port 8000 from 192.168.22.10. It matches neither rule 1 nor rule 2, so after walking the whole INPUT chain the chain's default policy is executed, which is the entry in parentheses on the first line of the screenshot: ACCEPT.

We can even write the rule chain as a switch statement:

switch (request) {
case request.port == 6379 && request.source == 127.0.0.1:
    return ACCEPT
case request.port == 6379 && request.source == 0.0.0.0/0:   // any source address
    return REJECT
default:                                                      // the chain's default policy
    return ACCEPT
}

In addition to ACCEPT and REJECT there are several other targets, which can be chosen as required:

Target       Effect
ACCEPT       Let the packet through
REJECT       Reject the packet; if necessary a response message is sent to the sender, so the client receives the rejection as soon as it makes the request
DROP         Discard the packet without any response; the client typically waits until it times out
SNAT         Source address translation; lets intranet users reach the Internet through the same public IP address
MASQUERADE   A special form of SNAT for dynamic, temporary IP addresses
DNAT         Destination address translation
REDIRECT     Port mapping on the local host
LOG          Log the packet to /var/log/messages and then pass it on to the next rule; nothing is done to the packet except logging it, and the following rules still get to match it

Note that there are more rule chains than the four mentioned above. For example, Docker registers its own rule chain for managing Docker services. If you want to write iptables rules for a Docker service, you can only write them in the DOCKER rule chain; writing them into INPUT will not work (see iptables configuring Docker service port access limits). For details, run iptables -L -n to view all the rule chains on your server.

Command syntax

Query rules

Query all rule chains on the server

iptables -L -n

Query all rule chains on the server, with rule numbers

iptables -L -n --line-numbers

Query the rules of the specified rule chain

iptables -L <rule chain> -n

Adding rules

Command template for adding a rule:

iptables -I <rule chain> -s <match IP> -p <protocol> --dport <match port> -j <target>

Example:

iptables -I DOCKER -s 127.0.0.1 -p tcp --dport 6379 -j ACCEPT

Parameter                      Effect
-I <rule chain>                Insert this rule at the head of the specified rule chain. If you write several rules in a row this way, the one written last is matched first.
-I <rule chain> <rule number>  If a rule number is given with -I, the rule is inserted at that position in the chain, and the rule that was there (and everything below it) moves down one place.
-A <rule chain>                Append this rule at the end of the specified rule chain (“matched last”). If you write several rules in a row this way, the one written first is matched first.
-D <rule chain> <rule number>  Delete a rule; see below for details.
-R <rule chain> <rule number>  Replace the rule with the given number in place; the other parameters are the same as for -I.

Parameter            Effect
-s <match IP>        Source address this rule matches. 0.0.0.0/0, or omitting the parameter, matches all addresses.
-p <protocol>        Protocol this rule matches; common values are tcp, udp, icmp and all.
--dport <port>       Destination port this rule matches (the port being accessed on the local machine).
--sport <port>       Source port this rule matches (the port the request is sent from).
-j <target>          What to do with a matching packet; see the target table in the previous section.
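To make the matching order concrete, here is a small shell model of one chain. It is added here and is not code from the original post or from iptables itself; it reproduces the first-match walk from the “Rules of the chain” section and the -I / -A / -D ordering from the table above, using the post's redis example as input. The ipt_* function names and the one-line rule format are assumptions of this example, and nothing in it touches the real kernel tables.

```shell
#!/bin/sh
# Added example (not from the original post): a model of one iptables chain.
# A rule is one line "SOURCE PORT TARGET"; the source 0.0.0.0/0 stands for
# "any address", as shown in iptables -L -n output. Assumed names: ipt_*.
CHAIN=""        # the modelled INPUT chain, one rule per line, top rule first
POLICY=ACCEPT   # default policy (-P), used only when no rule matched

ipt_policy() { POLICY=$1; }

# -I <chain>: insert at the head, so the rule written LAST is matched FIRST
ipt_insert() { CHAIN="$1 $2 $3
$CHAIN"; }

# -A <chain>: append at the tail, so the rule written FIRST is matched FIRST
ipt_append() { CHAIN="$CHAIN$1 $2 $3
"; }

# -D <chain> <n>: delete rule number n (numbering as shown by --line-numbers)
ipt_delete() {
    CHAIN=$(printf '%s' "$CHAIN" | awk -v n="$1" 'NR != n')
    if [ -n "$CHAIN" ]; then CHAIN="$CHAIN
"; fi
}

# -L <chain> -n --line-numbers: show the chain with rule numbers
ipt_list() { printf '%s' "$CHAIN" | awk '{ printf "%d  %-10s %-5s %s\n", NR, $1, $2, $3 }'; }

# Walk the chain top to bottom for a packet from SRC to local port DPORT; the
# first rule that matches decides and the chain is left immediately.
ipt_match() {
    hit=$(printf '%s' "$CHAIN" | while read -r rsrc rport rtarget; do
        if { [ "$rsrc" = "0.0.0.0/0" ] || [ "$rsrc" = "$1" ]; } && [ "$rport" = "$2" ]; then
            echo "$rtarget"; exit      # leave the chain at the first match
        fi
    done)
    echo "${hit:-$POLICY}"             # no match: fall through to the default policy
}

# Rebuild the chain from the post: redis port 6379 reachable from 127.0.0.1 only
ipt_policy ACCEPT
ipt_append 0.0.0.0/0 6379 REJECT       # written first ...
ipt_insert 127.0.0.1 6379 ACCEPT       # ... but -I puts this one above it
ipt_list
ipt_match 127.0.0.1     6379           # ACCEPT  (rule 1)
ipt_match 192.168.22.10 6379           # REJECT  (rule 2)
ipt_match 192.168.22.10 8000           # ACCEPT  (no rule matched, default policy)

# Same two rules, but the ACCEPT appended with -A: it now sits below the
# catch-all REJECT and is never reached, so localhost is locked out as well.
ipt_delete 1
ipt_append 127.0.0.1 6379 ACCEPT
ipt_match 127.0.0.1 6379               # REJECT
```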

Deleting rules

Since a server may have many iptables rules, first run iptables -L -n --line-numbers to list the rules with their numbers, and then delete the rule by its number.

Command for viewing rule numbers:

iptables -L -n --line-numbers

Command template for deleting a rule:

iptables -D <rule chain> <rule number>

Example:

iptables -D INPUT 2

Setting the default policy

Command template for setting the default policy:

iptables -P <rule chain> <target>

Example:

iptables -P INPUT ACCEPT

The default policy is the entry in parentheses on the first line of the listing; it is used when nothing has matched by the end of the rule chain. It is strongly recommended to set every default policy to ACCEPT. If the default policy discards packets (DROP; a built-in chain's policy can only be ACCEPT or DROP) and someone accidentally empties all the rules with iptables -F, you cannot even SSH to the server any more.

Renaming a chain (user-defined chains only)

iptables -E oldname newname

It’s easy to understand. I won’t explain it any more

Clearing all rules

iptables -F

Just think it through before you run it (see the note on default policies above).
